How to connect with GCP using OIDC

Last updated: June 29, 2024

Integrating Spacelift with Google Cloud Platform (GCP) using OpenID Connect (OIDC)

For the full detailed guide, visit GCP OIDC Integration Documentation.

Steps Required for Setup

  1. Create a Workload Identity Pool:

    • Go to the GCP console, select the IAM service, and click on the "Workload Identity Federation" link in the left-hand menu.

    • Click on the Create pool button.

    • Give your new identity pool a name and optionally set a description.

  2. Set Up the Identity Provider:

    • In the identity pool creation form, set the Issuer URL to the URL of your Spacelift account (including the scheme).

    • Manually specify allowed audiences with the hostname of your Spacelift account.

  3. Configure Claim Mapping:

    • Map the claims (assertions) carried in the Spacelift token to Google attributes.

  4. Grant Impersonation Permissions:

    • Grant the workload identity pool the permissions it needs to impersonate the service account.

  5. Download the Configuration File:

    • After saving the configuration, download the file and change the OIDC ID token path to /mnt/workspace/spacelift.oidc.

    • The credential source should look like:

      {
        "credential_source": {
          "file": "/mnt/workspace/spacelift.oidc"
        }
      }

  6. Configure the Terraform Provider:

    • Provide a configuration file for the Google Cloud Terraform provider:

      {
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${WORKER_POOL_ID}/providers/${IDENTITY_PROVIDER_ID}",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
          "file": "/mnt/workspace/spacelift.oidc"
        },
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${SERVICE_ACCOUNT_EMAIL}:generateAccessToken",
        "service_account_impersonation": {
          "token_lifetime_seconds": 3600
        }
      }

  7. Set Environment Variables:

    • Create a GOOGLE_APPLICATION_CREDENTIALS environment variable and set it to the path of the credentials file: /mnt/workspace/spacelift.oidc
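Steps 5 to 7 are where a single typo silently breaks the federation: a wrong audience, a token file missing from the workspace, or an iss/aud claim that does not match what the provider from step 2 expects all surface only as an opaque STS error at plan time. The script below is an added example (not Spacelift's or Google's code) that checks a credential configuration file and the OIDC token it points at before the Google provider runs. Every account name, project number, pool ID, provider ID and service account in it is a placeholder, the token is a constructed sample with a dummy signature, and the check looks at claims only: signature verification against the issuer's published keys is done by GCP's Security Token Service, not by this script.

```python
from __future__ import annotations

import base64
import json
import re
import time

# Placeholder values: not a real Spacelift account, GCP project or service account.
SPACELIFT_ISSUER = "https://example.app.spacelift.io"  # Issuer URL, scheme included (step 2)
SPACELIFT_AUDIENCE = "example.app.spacelift.io"        # allowed audience: the account hostname
TOKEN_FILE = "/mnt/workspace/spacelift.oidc"

# The step-6 configuration with its ${...} placeholders filled with made-up values.
SAMPLE_CONFIG = {
    "type": "external_account",
    "audience": ("//iam.googleapis.com/projects/123456789012/locations/global/"
                 "workloadIdentityPools/spacelift-pool/providers/spacelift-provider"),
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": TOKEN_FILE},
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "terraform@example-project.iam.gserviceaccount.com:generateAccessToken"),
    "service_account_impersonation": {"token_lifetime_seconds": 3600},
}

# Fields whose values are the same for every GCP workload identity federation setup.
FIXED_FIELDS = {
    "type": "external_account",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
}
AUDIENCE_RE = re.compile(r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
                         r"workloadIdentityPools/[\w-]+/providers/[\w-]+$")
IMPERSONATION_RE = re.compile(r"^https://iamcredentials\.googleapis\.com/v1/projects/-/"
                              r"serviceAccounts/[^/:]+:generateAccessToken$")


def check_credential_config(cfg: dict, token_file: str = TOKEN_FILE) -> list[str]:
    """Return the problems found in a step-6 credential configuration (empty if sound)."""
    problems = [f"{k} must be {v!r}" for k, v in FIXED_FIELDS.items() if cfg.get(k) != v]
    if not AUDIENCE_RE.match(cfg.get("audience", "")):
        problems.append("audience is not a workload identity provider resource name")
    if cfg.get("credential_source", {}).get("file") != token_file:
        problems.append(f"credential_source.file must be {token_file}")
    if not IMPERSONATION_RE.match(cfg.get("service_account_impersonation_url", "")):
        problems.append("service_account_impersonation_url is not a generateAccessToken URL")
    lifetime = cfg.get("service_account_impersonation", {}).get("token_lifetime_seconds", 3600)
    if not isinstance(lifetime, int) or not 0 < lifetime <= 3600:
        problems.append("token_lifetime_seconds must be 1..3600 (longer needs an org policy)")
    return problems


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for offline testing only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy-signature"


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def check_oidc_token(token: str, issuer: str, audience: str, now: int | None = None) -> list[str]:
    """Check the claims GCP matches against the provider: iss (step 2 Issuer URL),
    aud (allowed audience), sub (bound by the step 3 attribute mapping) and expiry."""
    claims = decode_jwt_payload(token)
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != issuer URL {issuer!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include allowed audience {audience!r}")
    if not claims.get("sub"):
        problems.append("sub claim missing; attribute mapping has nothing to bind")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired or has no exp claim")
    return problems


SAMPLE_IAT = 1_719_619_200  # constructed issue time
SAMPLE_TOKEN = make_sample_token({
    "iss": SPACELIFT_ISSUER,
    "aud": SPACELIFT_AUDIENCE,
    "sub": "space:root:stack:my-stack:run_type:TRACKED:scope:write",  # constructed subject
    "iat": SAMPLE_IAT,
    "exp": SAMPLE_IAT + 3600,
})

if __name__ == "__main__":
    print("config:", check_credential_config(SAMPLE_CONFIG) or "ok")
    print("token: ", check_oidc_token(SAMPLE_TOKEN, SPACELIFT_ISSUER, SPACELIFT_AUDIENCE,
                                      now=SAMPLE_IAT + 60) or "ok")
```

To run it against a real workspace, json.load the downloaded configuration file and read the token from the path in its credential_source.file entry. Note that the Google client libraries treat the file named by GOOGLE_APPLICATION_CREDENTIALS as the external_account configuration itself and follow its credential_source.file entry to the token, so both files have to be mounted in the run and agree on that path; the configuration check above enforces that agreement.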

For more detailed instructions and examples, refer to the full GCP OIDC Integration Documentation.